Skip to content
feed: live
>_ 0dayNews
CVE Record
[ CRITICAL ] CVE-2026-56291

Balbooa Forms unauthenticated file-upload RCE

The Balbooa Forms Joomla extension (com_baforms) up to 2.4.0 accepts unauthenticated file uploads that permit dropping a PHP file to the web root, leading to remote code execution. Fixed in 2.4.1. CVSS 9.8. Added to CISA KEV on 2026-07-10.

cat cve-2026-56291.json
Vendor
Balbooa
Product
Forms (Joomla extension, com_baforms)
CVSS
9.8
EPSS (exploit probability)
N/A
Status
kev
Published

CVE-2026-56291 is an unauthenticated arbitrary-file-upload flaw in Balbooa Forms, the com_baforms extension for Joomla. Per NVD, the flaw permits uploading a file “with a dangerous type” — in practice, a PHP file — which the web server then executes when requested, yielding remote code execution as the Joomla process. No authentication is required. CWE-434.

Advisory context

CISA added CVE-2026-56291 to the Known Exploited Vulnerabilities catalog on 2026-07-10, alongside CVE-2026-48939 in iCagenda — a second Joomla extension with the same file-upload-to-RCE shape. Federal due date on both is 2026-07-13.

Discovery and coordinated disclosure came from Phil E. Taylor at mySites.guru, who reports affected versions through 2.4.0 and the fix in 2.4.1. This is the third Joomla-extension add to KEV in four days after the 2026-07-07 additions of Joomlack Page Builder and JoomShaper SP Page Builder.

What to do

Verify whether com_baforms is installed via the Joomla admin’s Extensions Manager or a SELECT * FROM #__extensions WHERE element='com_baforms' query. If present, upgrade Balbooa Forms to 2.4.1 immediately. If the site has been publicly reachable with a vulnerable install, audit images/, template upload directories, and any writable path for unexpected .php or .phtml files, and treat any find as an incident.

Priority guidance and the broader Joomla-extension audit angle are in the article writeup. Canonical NVD record: CVE-2026-56291.